
As part of my job here at Acunetix, from time to time I analyze source code looking for security problems. I then use what I find to adjust Acunetix WVS so that it detects these problems automatically (when that is possible).

On Monday I downloaded e107 from e107.org and started analyzing the code. e107 is a popular content management system written in PHP.

is used for authentication. If you modify your browser cookies and set a cookie named access-admin whose value satisfies md5(value) = 'cf1afec15669cb96f09befb7d70f8bcb', you will get access to a PHP shell.

As I didn't know the exact value to use, I commented out this line to see what the PHP shell looks like and what can be done with it.

It's a known PHP shell; I've seen it a few times before. It's pretty powerful: you can execute system commands, execute PHP code, edit and rename files, and create files and/or directories. You can also upload new files and browse the file system with the privileges of the web server.

BTW, if you search on Google for a few words from this shell (like ~:(expl0rer):~), you will find a bunch of live shells indexed by Google. Most of these sites seem to be running RSGallery (a Joomla! component). I will try to contact these people about their websites being hacked.

Back to e107: I informed the guys from e107.org, and a few hours later the problem was fixed.

Here is what happened:

A few days ago, somebody found and exploited an e107 0day (for 0.7.16) on some websites. The e107 guys were informed about this and released 0.7.17 to fix the problem.

However, I suspect that by this point e107.org itself had already been hacked: they run e107 on e107.org, and they were an obvious target.

The attackers waited until the security fix (0.7.17) was released and then modified the zip file to include the backdoor.

At this point most e107 site owners were rushing to upgrade because of the security update announcement, and I suspect that many people downloaded the backdoored binary.

So, if you downloaded e107 this weekend, you have a backdoored binary: remove it from your website and download a new copy.
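One practical way to check an unpacked e107 download for the backdoor described above is to scan the PHP files for the indicators the post gives: the access-admin cookie name, the MD5 digest the gate compares against, the ~:(expl0rer):~ marker of the shell, and the general shape of "md5() of a cookie value" used as an authentication gate. The following scanner is an added example, not code from the post or from the e107 project; the exact PHP of the backdoor is not shown in the post, so the md5/cookie regex is an assumption about its shape, and the two sample files are constructed for the demonstration.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators taken from the post: the cookie name the backdoor checks,
# the MD5 digest it compares the cookie value against, and a marker
# string from the shell's user interface.
INDICATORS = {
    "backdoor cookie name": re.compile(r"access-admin"),
    "backdoor md5 digest": re.compile(r"cf1afec15669cb96f09befb7d70f8bcb", re.IGNORECASE),
    "known shell marker": re.compile(r"~:\(expl0rer\):~"),
}

# Assumed shape of the gate (the post does not show the exact PHP):
# md5() applied directly to a value read from $_COOKIE.
COOKIE_MD5_PATTERN = re.compile(r"md5\s*\(\s*\$_COOKIE\s*\[", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    reason: str
    excerpt: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, indicator) hit in a single PHP source text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for reason, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, reason, line.strip()[:120]))
        if COOKIE_MD5_PATTERN.search(line):
            findings.append(Finding(path, line_no, "md5() of a cookie value used as a gate",
                                    line.strip()[:120]))
    return findings


def scan_tree(root: str, extensions=(".php", ".inc", ".phtml")) -> list[Finding]:
    """Walk an unpacked download and scan every PHP-like file."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            findings.extend(scan_source(full, text))
    return findings


# Constructed samples (not real e107 code): a benign session check and a
# file carrying the indicators from the post.
CLEAN_SAMPLE = """<?php
// normal CMS code: session-based check
if (!isset($_SESSION['user_id'])) { header('Location: login.php'); exit; }
"""

PLANTED_SAMPLE = """<?php
// constructed: same shape as a secret-cookie gate, digest from the post
if (md5($_COOKIE['access-admin']) != 'cf1afec15669cb96f09befb7d70f8bcb') { die(); }
echo '~:(expl0rer):~';
"""


def demo_scan() -> dict[str, int]:
    """Write the constructed samples to a temp dir, scan it, return hits per file name."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("clean.php", CLEAN_SAMPLE),
                           ("planted.php", PLANTED_SAMPLE),
                           ("notes.txt", PLANTED_SAMPLE)):   # .txt is skipped by extension
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        counts: dict[str, int] = {}
        for f in scan_tree(tmp):
            base = os.path.basename(f.path)
            counts[base] = counts.get(base, 0) + 1
        return counts


if __name__ == "__main__":
    for f in scan_source("planted.php", PLANTED_SAMPLE):
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.excerpt}")
    print(demo_scan())
```

The indicators are specific to this incident, so treat a clean scan as necessary rather than sufficient; the reliable check is still to compare the unpacked files against a fresh copy obtained from the vendor, as the post advises.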

So, you must know the value for the cookie to get access to the shell.

About disclosure: I was trying to let people know about the backdoor as soon as possible. The more time passed, the more people would download the backdoor. When I find a vulnerability in a web application, I inform the vendor and wait until they fix the problem. However, this was a special case: there was no vulnerability, the more time passed the more people would get the backdoor, and if you don't know the value for the cookie you cannot get access to the shell. Therefore, I decided to publish the information as soon as possible.

@Carsten: The details about the 0day vulnerability in e107 were not publicly released.